Slide 5: Introduction
- National infrastructure utilities directly affect the well-being of nations' civilians, thus they are a prime target for terrorists
- The "Holy Grail" for an attacker in the SCADA environment is the Control Center
- We strongly believe that in order to thwart such attacks, it is necessary to conduct the same offensive research

Slide 7: Background
- 3 critical vulnerabilities in GE-Fanuc Cimplicity and Proficy were disclosed by us at S (including a stable heap overflow)
- Even though this was the first time that taking control over the SCADA server was demonstrated, there were a few engineers who doubted that it would allow an attacker to cause real damage
- Skeptics fuel progress – time for stage II

Slide 8: The Problem
- The #1 claim from big-scale SCADA operations is: even if you assume complete control over our control center, you will not be able to cause substantial physical damage, as:
  1. You're not a control engineer, so you won't understand what you're seeing on the HMI
  2. You won't find any documentation on the network that allows you to map the SCADA network addresses and their datapoints to their "meaning" – what they control in the physical world

Slide 9: The Problem
- Without a mapping of the addresses and datapoints to physical locations and controlled devices, it is very difficult to generate malicious packets
- Such a map can usually be found on the operators' workstations and the SCADA server as a tag database. Each tag is a user-friendly name given to an address/datapoint
- "We keep the mapping only in paper copy", etc.
- Mmmm… strange, but let's play along

Slide 10: Translation to IT Security Terms
- Security by obscurity
- To be completely honest – it's one of the few places where it might actually work!
- Two "shortcuts" to beating security by obscurity are missing:
  - Can't trigger events
  - Few (if any) string anchors

Slide 12: The Solution – Base Assumptions: The Good
- Assumption 1 – Security by obscurity works. We will never know what the data "means"
  - Already discussed
  - No "silver bullet" – can't cause an "Aurora"-style attack, as we don't know what kind of generator is used nor where it is located logically
- Assumption 2 – Even if we have the map, causing substantial damage is difficult
  - Complexity – mitigated by getting a control engineer on board
  - Safety mechanisms – 3 cases in the past year where these failed due to mechanical or human error

Slide 13: Base Assumptions (cont.)
- The Bad
  - Assumption 3 – Control protocols are simple: 95% are Start/Stop, TLV, or fixed size and format
  - Assumption 4 – We own the communication server (aka FEP). This is where we left off in our previous research, for more details see:
- The Ugly
  - Assumption 5 – Humans need more electricity when they are awake

Slide 17: Attack Vector
- The main goal of the control center is to keep the grid balanced – generation should match the demand
- From the previous graphs we see that:
  - In the morning the grid utilization is increased
  - In the evening it is decreased
- How does this work to our advantage? Let's turn night into day, and vice versa
- No need to know what we're sending, as the operators already took care of that for us

Slide 18: Malware Design
- Install malware on the comm. server
- Stage I – Learning mode
  - Sniff traffic to and from the field (easy to distinguish)
  - Create request/response pairs with a timestamp for day and night classification
  - Auto-identify "problematic" fields: CRC/parity fields, timestamps, counters
  - Simple statistical computations

Slide 19: Malware Design
- Stage II – Active mode
  - When enough packet data is collected, wait for the next critical time of day (dawn, nightfall)
  - Drop all messages coming from the SCADA server
  - Instead, send the commands of the opposite timeframe to the field

Slide 20: Malware Design – What will happen in Active Mode?
- Example – sunrise time
  - Electricity demand constantly rises
  - The field devices will receive night-time commands – e.g. "disconnect aux. power plant from the grid", "lower power output from main power plant", etc.
  - Operators will try to connect more power plants, without success, as the commands are ignored
  - Network instability – supply will not meet the demand
  - Potentially causing blackouts
  - May change electric frequency

Slide 21: Advanced Attack Vector
- An even nastier approach is to record communication between the comm. server and the SCADA server as well
- When the system goes from "learn mode" to "active mode", perform two actions:
  - Send the control data to the field as previously mentioned
  - Don't drop the SCADA server requests; send the responses it expects at this time from the field

Slide 22: Advanced Attack Vector
- Expected result
  - Field devices are performing the exact opposite of their required behavior
  - SCADA operators see that everything is running smoothly
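The attack on slides 21 and 22 works because the comm. server sits between the SCADA server and the field and can lie to both sides. A defender's counter is an independent tap that sees both sides of the FEP and compares what the SCADA server issued against what actually reached the field. The following is an added example, not code from the presentation: it assumes a monitoring point that is not the FEP itself (e.g. a span port on the field-side segment), that the simple field protocol (slide 13) can be decoded to a tag name and command, and uses constructed sample records for both sides.

```python
"""Out-of-band comparison of commands on both sides of a communication server (FEP).

Added example, not from the original presentation. Assumes an independent tap
that decodes each command to (timestamp, tag, command) on both the SCADA-server
side and the field side of the FEP. All sample records below are constructed.
"""

# Constructed: commands the SCADA server sent toward the FEP at sunrise.
SCADA_SIDE = [
    (100, "GEN_AUX1", "CONNECT"),
    (101, "GEN_MAIN", "RAISE"),
    (102, "GEN_AUX2", "CONNECT"),
    (104, "GEN_AUX3", "CONNECT"),
]

# Constructed: what the field-side tap saw leaving the FEP in the same period.
# A compromised FEP replayed night-time commands for the first two tags,
# delivered the third, dropped the fourth and injected one of its own.
FIELD_SIDE = [
    (100, "GEN_AUX1", "DISCONNECT"),
    (101, "GEN_MAIN", "LOWER"),
    (103, "GEN_AUX2", "CONNECT"),
    (110, "GEN_AUX4", "DISCONNECT"),
]


def compare_sides(scada_side, field_side, window=5):
    """Return alerts as (kind, time, tag, expected_cmd, observed_cmd).

    kind is one of:
      SUBSTITUTED  - same tag reached the field within `window` seconds, but
                     with a different command than the SCADA server issued
      DROPPED      - the SCADA command never appeared on the field side
      UNSOLICITED  - a field-side command with no SCADA-side origin
    """
    unmatched = list(field_side)
    alerts = []
    for t, tag, cmd in scada_side:
        # Nearest field-side command for the same tag inside the time window.
        candidate = next(
            (f for f in unmatched if f[1] == tag and 0 <= f[0] - t <= window),
            None,
        )
        if candidate is None:
            alerts.append(("DROPPED", t, tag, cmd, None))
            continue
        unmatched.remove(candidate)
        if candidate[2] != cmd:
            alerts.append(("SUBSTITUTED", t, tag, cmd, candidate[2]))
    # Anything left on the field side had no matching SCADA-side command.
    for t, tag, cmd in unmatched:
        alerts.append(("UNSOLICITED", t, tag, None, cmd))
    alerts.sort(key=lambda a: a[1])
    return alerts


def summarize(alerts):
    """Count alerts per kind; any non-zero count means the FEP is not a faithful relay."""
    counts = {"SUBSTITUTED": 0, "DROPPED": 0, "UNSOLICITED": 0}
    for kind, *_ in alerts:
        counts[kind] += 1
    return counts


if __name__ == "__main__":
    for alert in compare_sides(SCADA_SIDE, FIELD_SIDE):
        print(alert)
    print(summarize(compare_sides(SCADA_SIDE, FIELD_SIDE)))
```

The check only needs the tag name and command, not an understanding of what the tag controls, so it does not depend on the tag database the attacker is assumed not to have either; what it does depend on is the tap being outside the compromised FEP's reach.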

Slide 23: Design Advantages
- Little to zero knowledge of the network design and implementation is required
- One-time insertion of the malware, no need for ongoing communications
- Physical impact is likely

Slide 24: Drawbacks
- There are always exceptions
  - "We sign all messages" – ~<1%, very modern
  - Unique network architectures
- Prior knowledge of the protocols used will greatly increase the chance of impact, as the "learn mode" will be well defined
- Independent safety controls will alert the operators, and might contain the damage to a certain degree
- Looking for guinea pigs!

Slide 25: Recommendations
- Relax. Not FUD. It's not going to happen tomorrow
- Not to be underestimated though – acknowledged by control center engineers from 3 T&D utilities
- The goal is to increase awareness of the importance of securing your SCADA network

Slide 26: Recommendations
- Several potential mitigations
  - Strong authentication of messages between the SCADA server and communication server
  - Field communication solutions
    - Encrypt or digitally sign messages
    - Obfuscation with key swap every X days (Rrushi – S4 2007)
    - Chaffing – switch live/simulation between two FEPs every day
- These solutions address the question – "How do I minimize the damage to my assets, even after my control center is compromised?"
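Slide 18 lists the fields the learning stage has to recognise and fix up (CRC, timestamps, counters); slide 26 recommends strong message authentication. The two connect: once a counter and a timestamp are covered by a keyed MAC, a recorded frame can no longer be "fixed up" for a different time of day without the key. The following is an added example of such a framing, not the presentation's or any vendor's protocol: it assumes a pre-shared key between the SCADA server and the comm. server, a 4-byte sequence number, an 8-byte Unix timestamp, HMAC-SHA256, and a 30-second clock tolerance (all constructed values).

```python
"""Authenticated, replay-resistant framing between the SCADA server and the FEP.

Added example, not from the original presentation. Frame layout (assumed):
    seq (4 bytes) | timestamp (8 bytes) | payload | HMAC-SHA256 tag (32 bytes)
The tag covers seq, timestamp and payload, so none of the "problematic"
fields can be rewritten by an attacker who lacks the key.
"""
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key-do-not-reuse"  # constructed pre-shared key
MAX_SKEW = 30          # seconds of clock difference tolerated (assumption)
HEADER = struct.Struct(">IQ")
TAG_LEN = 32


def sign_frame(key, seq, timestamp, payload):
    """Build a frame whose header and payload are bound together by the MAC."""
    header = HEADER.pack(seq, timestamp)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class FrameVerifier:
    """Receiver state: the shared key and the highest sequence number accepted so far."""

    def __init__(self, key, max_skew=MAX_SKEW):
        self.key = key
        self.max_skew = max_skew
        self.last_seq = -1

    def verify(self, frame, now):
        """Return (accepted, reason, payload).

        Order matters: the MAC is checked first so that an unauthenticated
        sender cannot probe the receiver's freshness or sequence state.
        """
        if len(frame) < HEADER.size + TAG_LEN:
            return False, "short", None
        header = frame[:HEADER.size]
        payload = frame[HEADER.size:-TAG_LEN]
        tag = frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False, "bad_tag", None          # forged, tampered or re-timed
        seq, ts = HEADER.unpack(header)
        if abs(now - ts) > self.max_skew:
            return False, "stale_timestamp", None  # recorded at another time of day
        if seq <= self.last_seq:
            return False, "replayed_seq", None     # already seen
        self.last_seq = seq
        return True, "ok", payload


def demo():
    """Exercise the verifier against the replay cases from the talk; returns reasons."""
    verifier = FrameVerifier(KEY)
    dawn = 1_700_000_000            # constructed "now"
    night = dawn - 12 * 3600        # a frame recorded twelve hours earlier
    recorded = sign_frame(KEY, 7, night, b"GEN_AUX1 DISCONNECT")
    live = sign_frame(KEY, 8, dawn, b"GEN_AUX1 CONNECT")

    results = {}
    results["live"] = verifier.verify(live, dawn)[1]              # accepted
    results["recorded_night_frame"] = verifier.verify(recorded, dawn)[1]
    results["live_replayed"] = verifier.verify(live, dawn)[1]     # same seq again
    # Attacker rewrites seq and timestamp on the recorded frame without the key.
    retimed = HEADER.pack(9, dawn) + recorded[HEADER.size:]
    results["retimed_without_key"] = verifier.verify(retimed, dawn)[1]
    # Attacker flips one payload byte of a genuine frame.
    tampered = bytearray(live)
    tampered[HEADER.size] ^= 0x01
    results["tampered_payload"] = verifier.verify(bytes(tampered), dawn)[1]
    return results


if __name__ == "__main__":
    for case, reason in demo().items():
        print(f"{case:24s} -> {reason}")
```

The timestamp check needs synchronised clocks on both ends, and the sequence check needs per-link receiver state that survives restarts (or a handshake that re-establishes it); both are part of the deployment cost the "~<1%, very modern" figure on slide 24 reflects.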

Slide 27: Summary
- Choose your field protocols with security in mind
- Asset owners – demand quality software, which undergoes an ongoing assessment of its resilience to attack
- And on top of that – prevent control center compromise (assumption #4). Be prepared, audit yourselves!
- "All that is necessary for evil to triumph is for good men to do nothing" – Edmund Burke, 1770